BitLocker - Removable Media

  • Question

  • Our system consists of computers with Windows 10 - 64 bit. We have Dell computers with TPM and utilize BitLocker. We utilize Active Directory to store all BitLocker keys automatically. The issue has arisen where users are placing non-encrypted flash drives into our computers. They are prompted to encrypt the drive with "BitLocker to Go" and they select no, as these flash drives must remain unencrypted to work with specialized instruments.


    The users are able to view and copy data from the flash drive to the computers, which is logical and needed. The problem occurs when the users are trying to delete data from the removable flash drive. With BitLocker, there is no option to delete files from removable media. BitLocker is used to stop individuals from taking files/data off of the computers to removable media, unless that removable media is encrypted with BitLocker itself. But BitLocker should also allow users to copy data from the flash drive to the computers, which it does. Lastly, it would seem that there should be no issue deleting files from a non-encrypted removable drive because it doesn't interfere with BitLocker's role/job. Of course, if the removable media is encrypted with BitLocker, then files can be deleted from the removable media.


    Is it so that BitLocker does block the deletion of data from non-encrypted removable media? Is there any way to overcome this issue? Eventually data will need to be deleted from non-encrypted removable media for auditing purposes.

    Thanks,

    Joshua

    Friday, September 29, 2017 4:47 PM

Answers

  • Deleting=writing, and writing is prohibited to non-bitlocked drives - that's the problem. No way around.
    Tuesday, October 3, 2017 8:56 PM

All replies

  • Deleting=writing, and writing is prohibited to non-bitlocked drives - that's the problem. No way around.
    Tuesday, October 3, 2017 8:56 PM
  • Hi,

    You'd better check the policy in domain, which is located at 

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

    If the policy is enabled, only drives with identification fields that match the computer's identification fields are given Write access.

    For more details, please refer to

     https://technet.microsoft.com/en-us/library/jj679890%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396#BKMK_driveaccess2


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 6, 2017 8:48 AM
  • Irrelevant, since this question is about unencrypted drives.
    Friday, October 6, 2017 9:30 AM
  • That's what I expected. I was just hoping there was a way around it. It seems we will have to keep a computer without BitLocker for auditing purposes just to clear these removable media, unless Microsoft can establish a difference between writing and deleting.
    Monday, October 9, 2017 1:36 PM
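The behaviour discussed in this thread (reads allowed, every write including deletion refused on a flash drive that is not BitLocker-protected) is produced by the Group Policy under the "Removable Data Drives" path quoted in the TechNet reply. The following PowerShell is an added example, not code from the thread or from Microsoft: it reports whether that policy is applied to the local computer and lists attached removable volumes with whether writes to each would be blocked. It assumes the policy is written to HKLM\SOFTWARE\Policies\Microsoft\FVE as the DWORD values RDVDenyWriteAccess and RDVDenyCrossOrg (1 = enabled), that the Storage and BitLocker PowerShell modules are present (Windows 8 / Server 2012 and later), and that it is run from an elevated prompt.

```powershell
# Added example, not code from the thread. Reports whether the policy that denies
# write access to removable drives not protected by BitLocker applies to this
# computer, then shows which attached removable volumes it makes read-only.
# Assumptions: policy values live in HKLM\SOFTWARE\Policies\Microsoft\FVE as
# DWORDs RDVDenyWriteAccess / RDVDenyCrossOrg (1 = enabled); Storage and
# BitLocker modules are available; run elevated.

function Get-RemovableDriveWritePolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent       = [bool]$props
        # "Deny write access to removable drives not protected by BitLocker"
        DenyWriteToUnprotected = ($null -ne $props -and $props.RDVDenyWriteAccess -eq 1)
        # Sub-option: also deny writes to drives whose identification field
        # belongs to another organization (the "identification fields" the
        # TechNet reply refers to)
        DenyWriteCrossOrg      = ($null -ne $props -and $props.RDVDenyCrossOrg -eq 1)
    }
}

function Get-RemovableVolumeWriteStatus {
    $policy = Get-RemovableDriveWritePolicy
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            # Get-BitLockerVolume also returns unencrypted volumes, with ProtectionStatus Off
            $blv = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            $protected = ($null -ne $blv -and $blv.ProtectionStatus -eq 'On')
            [pscustomobject]@{
                MountPoint    = $mount
                FileSystem    = $_.FileSystem
                BitLockerOn   = $protected
                # Reading and copying off the drive is always allowed. With the policy
                # on, every write, file deletion included, is refused unless the drive
                # itself is BitLocker-protected.
                WritesBlocked = ($policy.DenyWriteToUnprotected -and -not $protected)
            }
        }
}

# Usage: show the effective policy, then one row per attached removable volume
Get-RemovableDriveWritePolicy
Get-RemovableVolumeWriteStatus | Format-Table -AutoSize
```

Because the setting is a computer policy delivered by GPO, the audit workstation mentioned in the last reply does not need to have BitLocker removed: keeping that machine out of the GPO's scope (a separate OU, or security filtering on the policy object) leaves its own system drive encrypted and keys escrowed in Active Directory while restoring write access to unencrypted removable media on that one host. `manage-bde -status <drive>:` gives the same per-volume protection information from a command prompt if the BitLocker PowerShell module is unavailable.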